Info

Disclosure

May 24, 2007

Discovery

May 24, 2007

Dates

Exploit

Unknown

Solution

Unknown

Description

appweb contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when using request with HTTP TRACE method in conjonction with certain browsers, which will disclose users's cookies or authentication data information resulting in a loss of confidentiality.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related

Solution

Upgrade to version 2.2.2 or higher, as it has been reported to fix this vulnerability.(TRACE method is disabled by default) Additionally, implementing the following change: set the 'TraceMethod' option to 'off' in appweb.conf.

Products

Mbedthis Software, LLC.	AppWeb	1.x.x
		2.0.x
		2.1.x
		2.2.0
		2.2.1
		0.x.x

References

CVE ID: 2007-3008 (see also: NVD)
Bugtraq ID: 24456
Secunia Advisory ID: 25636
ISS X-Force ID: 34854
Vendor Specific News/Changelog Entry: http://www.appwebserver.org/forum/viewtopic.php?t=996
http://www.mbedthis.com/products/appWeb/doc/product/newFeatures.html
Generic Informational URL: http://www.kb.cert.org/vuls/id/867593

Credit

Michael O'Brien - mbedthis.com>: - MbedThis

Direct URL: http://osvdb.org/35511

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Mbedthis Software, LLC.

AppWeb

References

Credit